Sunday, May 3, 2015

SourceFire IPS - Understanding Inline Deployments

Understanding how your SourceFire Sensors (or any other IPS for that matter) are deployed is very important to the results you can expect from the device(s).

In this post, I will focus on providing clarity on some of the things you should be aware of when configuring your SourceFire IPS to be inline.

First off, let's understand what is meant by an inline deployment. In an inline deployment, the IPS device sits between two network devices. Typically, these would be a perimeter firewall, which connects the internal network to the Internet, and an internal device such as a switch, which connects the devices on the local LAN to the perimeter firewall, as shown below.

In the diagram above, eth0 and eth1 on the sensor form an inline pair through which traffic flows between the switch and the firewall. This is the first step in a successful inline deployment.

Now that our device is inline, we need to configure our IPS Intrusion Policy to "Drop When Inline".

The final step is to select the relevant rule and ensure "Drop and Generate Events" is specified for the rule. Below are the options available for configuring the rule state.

Below is an example of a rule which has been configured to "Drop and Generate Events". Note the red "X" at the end.
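The three settings above only block traffic when all of them line up: the interfaces must form an inline pair, the intrusion policy must have "Drop When Inline" enabled, and the individual rule must be set to "Drop and Generate Events". The following is an added example (my own illustration, not SourceFire code or any FireSIGHT API) that models that decision as a small truth table and audits a constructed rule set for the common misconfigurations. The `Deployment`, `RuleState` and `audit` names and the sample rule IDs are assumptions made up for the example.

```python
"""Model of when a SourceFire/Snort rule actually drops a packet.

A rule set to "Drop and Generate Events" only blocks traffic when the
sensor interfaces are an inline pair AND the intrusion policy has
"Drop When Inline" enabled. Otherwise the event is still generated
but the packet is forwarded (FireSIGHT shows these as "Would have dropped").
This is an illustrative model, not the vendor's implementation.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class RuleState(Enum):
    """The per-rule states offered in the intrusion policy rule editor."""
    DISABLED = "Disabled"
    GENERATE_EVENTS = "Generate Events"
    DROP_AND_GENERATE = "Drop and Generate Events"


class Verdict(Enum):
    PASS = "pass"    # no event, packet forwarded
    ALERT = "alert"  # event generated, packet forwarded
    DROP = "drop"    # event generated, packet dropped


@dataclass(frozen=True)
class Deployment:
    inline: bool            # eth0/eth1 form an inline pair (vs. passive/tap)
    drop_when_inline: bool  # intrusion policy setting "Drop When Inline"


def verdict(deploy: Deployment, state: RuleState) -> Verdict:
    """What happens to a packet that matches a rule in the given state."""
    if state is RuleState.DISABLED:
        return Verdict.PASS
    if state is RuleState.GENERATE_EVENTS:
        return Verdict.ALERT
    # Drop and Generate Events: blocking needs both inline wiring and the policy flag.
    if deploy.inline and deploy.drop_when_inline:
        return Verdict.DROP
    return Verdict.ALERT


def audit(deploy: Deployment, rules: dict[str, RuleState]) -> list[str]:
    """Return human-readable findings explaining why drop rules would not drop."""
    findings: list[str] = []
    drop_rules = [sid for sid, st in rules.items() if st is RuleState.DROP_AND_GENERATE]
    if not drop_rules:
        findings.append("no rules are set to 'Drop and Generate Events'; the sensor can only alert")
    if drop_rules and not deploy.inline:
        findings.append(f"{len(drop_rules)} drop rule(s) configured but the sensor is not inline")
    if drop_rules and deploy.inline and not deploy.drop_when_inline:
        findings.append(f"{len(drop_rules)} drop rule(s) configured but the policy lacks 'Drop When Inline'")
    return findings


# Constructed sample rule set (GID:SID keys are made up for the example).
SAMPLE_RULES: dict[str, RuleState] = {
    "1:2000001": RuleState.DROP_AND_GENERATE,
    "1:2000002": RuleState.GENERATE_EVENTS,
    "1:2000003": RuleState.DISABLED,
}


def truth_table() -> list[tuple[bool, bool, str, str]]:
    """Every (inline, drop_when_inline, rule state) combination and its verdict."""
    rows = []
    for inline in (False, True):
        for dwi in (False, True):
            for state in RuleState:
                v = verdict(Deployment(inline, dwi), state)
                rows.append((inline, dwi, state.value, v.value))
    return rows


if __name__ == "__main__":
    print(f"{'inline':<7}{'drop_when_inline':<18}{'rule state':<28}verdict")
    for inline, dwi, state, v in truth_table():
        print(f"{str(inline):<7}{str(dwi):<18}{state:<28}{v}")
    for d in (Deployment(True, True), Deployment(True, False), Deployment(False, False)):
        print(d, "->", audit(d, SAMPLE_RULES) or ["OK: drop rules will drop"])
```

Running the script prints the 12-row truth table followed by audit findings for three deployments; only the fully configured one (inline pair plus "Drop When Inline") comes back clean.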

As this post has shown, to truly achieve IPS functionality you need not only to have your device inline, but also to configure both the policy and the rules to drop.

Below is a list of threat intelligence websites that you can use. Cymon.io is an excellent one as it searches around 200 different sources. If you’re looking for a more exhaustive list of threat intel sites, check out https://github.com/rshipp/awesome-malware-analysis